CVE Catalog

CVE-2026-58373

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A vulnerability in CVAT before version 2.69.0 in the QualityReportViewSet.get_queryset allows authenticated attackers to enumerate quality report identifiers belonging to other organizations. The missing check_object_permissions call on the parent_id parameter in the quality reports API endpoint enables distinguishing existing and non-existing reports via HTTP 500 vs 404 responses.

Risk Assessment

The risk involves disclosure of the existence of quality reports in other organizations, potentially leading to information leakage about projects and sensitive data. Attackers can map organizational structure without accessing report content.

Recommendation

Immediately update CVAT to version 2.69.0 or later, which includes a fix for the missing authorization. In the interim, restrict access to the quality reports API to trusted users only.

Original NVD description (English source)

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS